[kirkstone,35/35] wic: make ext2/3/4 images reproducible

Message ID	da2c64b3158c58eb0a484d3acbdf0419df2d34e8.1668952942.git.steve@sakoman.com
State	Accepted, archived
Commit	da2c64b3158c58eb0a484d3acbdf0419df2d34e8
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.216.54, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 35/35] wic: make ext2/3/4 images reproducible Date: Sun, 20 Nov 2022 04:15:24 -1000 Message-Id: <da2c64b3158c58eb0a484d3acbdf0419df2d34e8.1668952942.git.steve@sakoman.com> In-Reply-To: <cover.1668952942.git.steve@sakoman.com> References: <cover.1668952942.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/35] dbus: fix CVE-2022-42010 Check brackets in signature nest correctly \| expand [kirkstone,01/35] dbus: fix CVE-2022-42010 Check brackets in signature nest correctly [kirkstone,02/35] dbus: fix CVE-2022-42011 dbus-daemon can be crashed by messages with array length… [kirkstone,03/35] dbus: fix CVE-2022-42012 dbus-marshal-byteswap: Byte-swap Unix fd indexes if need… [kirkstone,04/35] systemd: CVE-2022-3821 Fix buffer overrun [kirkstone,05/35] Revert "expat: backport the fix for CVE-2022-43680" [kirkstone,06/35] expat: upgrade to 2.5.0 [kirkstone,07/35] lttng-tools: Upgrade 2.13.4 -> 2.13.8 [kirkstone,08/35] lttng-tools: submit determinism.patch upstream [kirkstone,09/35] lttng-modules: upgrade 2.13.5 -> 2.13.7 [kirkstone,10/35] bind: upgrade 9.18.7 -> 9.18.8 [kirkstone,11/35] socat: upgrade 1.7.4.3 -> 1.7.4.4 [kirkstone,12/35] libxcrypt: upgrade 4.4.28 -> 4.4.30 [kirkstone,13/35] sudo: upgrade 1.9.10 -> sudo 1.9.12p1 [kirkstone,14/35] oeqa/selftest/lic_checksum: Cleanup changes to emptytest include [kirkstone,15/35] oeqa/selftest/minidebuginfo: Create selftest for minidebuginfo [kirkstone,16/35] glibc-locale: Do not INHIBIT_DEFAULT_DEPS [kirkstone,17/35] package: Fix handling of minidebuginfo with newer binutils [kirkstone,18/35] archiver: avoid using machine variable as it breaks multiconfig [kirkstone,19/35] cargo_common.bbclass: Fix typos [kirkstone,20/35] groff: submit patches upstream [kirkstone,21/35] tcl: correct patch status [kirkstone,22/35] kea: submit patch upstream [kirkstone,23/35] ovmf: correct patches status [kirkstone,24/35] libffi: submit patch upstream [kirkstone,25/35] bluez5: Point hciattach bcm43xx firmware search path to /lib/firmware [kirkstone,26/35] get_module_deps3.py: Check attribute '__file__' [kirkstone,27/35] bitbake.conf: Drop export of SOURCE_DATE_EPOCH_FALLBACK [kirkstone,28/35] libuv: fixup SRC_URI [kirkstone,29/35] systemd: Consider PACKAGECONFIG in RRECOMMENDS [kirkstone,30/35] kernel.bbclass: Include randstruct seed assets in STAGING_KERNEL_BUILDDIR [kirkstone,31/35] gcc-shared-source: Fix source date epoch handling [kirkstone,32/35] gcc-source: Fix gengtypes race [kirkstone,33/35] gcc-source: Drop gengtype manipulation [kirkstone,34/35] gcc-source: Ensure deploy_source_date_epoch sstate hash doesn't change [kirkstone,35/35] wic: make ext2/3/4 images reproducible

Message ID

da2c64b3158c58eb0a484d3acbdf0419df2d34e8.1668952942.git.steve@sakoman.com

State

Accepted, archived

Commit

da2c64b3158c58eb0a484d3acbdf0419df2d34e8

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 35/35] wic: make ext2/3/4 images reproducible
Date: Sun, 20 Nov 2022 04:15:24 -1000
Message-Id: 
 <da2c64b3158c58eb0a484d3acbdf0419df2d34e8.1668952942.git.steve@sakoman.com>
In-Reply-To: <cover.1668952942.git.steve@sakoman.com>
References: <cover.1668952942.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,01/35] dbus: fix CVE-2022-42010 Check brackets in signature nest correctly | expand

Commit Message

Steve Sakoman Nov. 20, 2022, 2:15 p.m. UTC

From: Sergei Zhmylev <s.zhmylev@yadro.com>

Ext2/3/4 FS contains not only mtime, but also ctime, atime and crtime.
Currently, all the files are being added into the rootfs image using
mkfs -d functionality which affects all the timestamps excluding mtime.
This patch ensures these timestamps inside the FS image equal to
the SOURCE_DATE_EPOCH if it is set.

Signed-off-by: Sergei Zhmylev <s.zhmylev@yadro.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 75d2dd0ea7790db2e8ee921784ca373abff2df65)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 scripts/lib/wic/partition.py | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/scripts/lib/wic/partition.py b/scripts/lib/wic/partition.py
index 7c288d2958..5563f4448a 100644
--- a/scripts/lib/wic/partition.py
+++ b/scripts/lib/wic/partition.py
@@ -293,17 +293,36 @@  class Partition():
                 f.write("cd etc\n")
                 f.write("rm fstab\n")
                 f.write("write %s fstab\n" % (self.updated_fstab_path))
-                if os.getenv('SOURCE_DATE_EPOCH'):
-                    fstab_time = int(os.getenv('SOURCE_DATE_EPOCH'))
-                    for time in ["atime", "mtime", "ctime"]:
-                        f.write("set_inode_field fstab %s %s\n" % (time, hex(fstab_time)))
-                        f.write("set_inode_field fstab %s_extra 0\n" % (time))
             debugfs_cmd = "debugfs -w -f %s %s" % (debugfs_script_path, rootfs)
             exec_native_cmd(debugfs_cmd, native_sysroot)
 
         mkfs_cmd = "fsck.%s -pvfD %s" % (self.fstype, rootfs)
         exec_native_cmd(mkfs_cmd, native_sysroot, pseudo=pseudo)
 
+        if os.getenv('SOURCE_DATE_EPOCH'):
+            sde_time = hex(int(os.getenv('SOURCE_DATE_EPOCH')))
+            debugfs_script_path = os.path.join(cr_workdir, "debugfs_script")
+            files = []
+            for root, dirs, others in os.walk(rootfs_dir):
+                base = root.replace(rootfs_dir, "").rstrip(os.sep)
+                files += [ "/" if base == "" else base ]
+                files += [ base + "/" + n for n in dirs + others ]
+            with open(debugfs_script_path, "w") as f:
+                f.write("set_current_time %s\n" % (sde_time))
+                if self.updated_fstab_path and self.has_fstab and not self.no_fstab_update:
+                    f.write("set_inode_field /etc/fstab mtime %s\n" % (sde_time))
+                    f.write("set_inode_field /etc/fstab mtime_extra 0\n")
+                for file in set(files):
+                    for time in ["atime", "ctime", "crtime"]:
+                        f.write("set_inode_field \"%s\" %s %s\n" % (file, time, sde_time))
+                        f.write("set_inode_field \"%s\" %s_extra 0\n" % (file, time))
+                for time in ["wtime", "mkfs_time", "lastcheck"]:
+                    f.write("set_super_value %s %s\n" % (time, sde_time))
+                for time in ["mtime", "first_error_time", "last_error_time"]:
+                    f.write("set_super_value %s 0\n" % (time))
+            debugfs_cmd = "debugfs -w -f %s %s" % (debugfs_script_path, rootfs)
+            exec_native_cmd(debugfs_cmd, native_sysroot)
+
         self.check_for_Y2038_problem(rootfs, native_sysroot)
 
     def prepare_rootfs_btrfs(self, rootfs, cr_workdir, oe_builddir, rootfs_dir,

[kirkstone,35/35] wic: make ext2/3/4 images reproducible

Commit Message

Patch